Method and system for detecting rogue security software that displays frequent misleading warnings

ABSTRACT

A method and apparatus for detecting rogue security software whereby a timeframe and a threshold pop-up score are defined. A user computing system is monitored/scanned for any pop-up events being presented to the user and once a pop-up event is detected, the source process, or application, associated with the pop-up event is identified. The identified source process is then monitored for at least the defined timeframe and each pop-up event associated with the identified source process in the defined timeframe is counted and used to compute a pop-up score for the identified source process. The pop-up score for the identified source process is then compared with the threshold pop-up score and if the pop-up score associated with the identified source process exceeds the threshold pop-up score, the status of the identified source process is transformed to the status of identified “suspect” source process.

BACKGROUND OF THE INVENTION

Rogue security software is a form of computer malware that deceives or misleads users/victims into paying for the “fake”, or simulated, removal of malware, and/or, in some cases, removal of malware intentionally introduced by the rogue security software itself. In recent years, rogue security software has become a growing and serious security threat to computing systems and communication networks and it is estimated that currently a full 15% or more of all malware is a form of rogue security software.

Herein, malware includes, but is not limited to, any software and/or code designed to infiltrate a computing system without the owner's informed and/or explicit consent.

Rogue security software typically relies on social engineering in order to defeat the security built into modern operating systems, browser software, and security systems, and install itself onto users'/victims' computing systems. Most rogue security software has a Trojan horse component which users/victims are misled into installing onto/into their computing systems. The Trojan horse may be disguised as, but is not limited to: free online malware scanning services; a browser plug-in or extension (typically a toolbar); an image, screensaver, or archive file, attached to an e-mail message; a multimedia codec allegedly, or actually, required to play a certain video clip; software shared on peer-to-peer networks; and/or any other examples of the seemingly ever-evolving number of Trojan horse devices. In addition, some rogue security software is propagated onto a user/victim computing system as drive-by downloads which exploit security vulnerabilities in web browsers or e-mail clients to install themselves without any manual interaction by the user.

Once installed, the rogue security software typically generates multiple malware alerts notifying the user/victim of the fake or simulated detection of malware, pornography, or any other undesirable files, on the user's/victim's computing system and/or displays an animation simulating a fake system crash, and/or reboot of the user's/victim's computing system. In some instances, the rogue security software includes detailed malware alerts and/or message boxes that list specific files that purportedly are the malware, are infected with the malware, and/or contain the malware. In some instances, the rogue security software alerts the user/victim to performance problems or the need to perform essential housekeeping on the user's/victim's computing system. In some cases, the rogue security software will hold the user hostage by refusing to allow him or her to remove or fix the phantom problems until the “required” software is purchased and installed, and/or by the simulated system reboots and/or lockups.

As noted above, the rogue security software typically attempts to scare, or annoy, the user/victim into taking a desired action, such as paying out money to “fix” the problem, by presenting authentic-looking pop-up warnings and security alerts. These pop-up warnings and security alerts often very accurately mimic legitimate system and/or security system notices to leverage the trust of the user/victim in vendors of legitimate security software, and/or operating systems, and/or web-sites, and/or businesses.

As a result of this “marketing model” used by rogue security software, e.g., to scare and/or annoy the user/victim into taking the desired action, one very common feature, or behavior, associated with rogue security software is that the pop-up warnings and security alerts are generated fairly often, i.e., at a high repetition frequency, such as multiple times per hour.

Once the rogue security software has alerted, and/or scared, the user/victim into believing their system has been infected with malware, typically via the frequently generated pop-up warnings and security alerts, the user/victim is then usually enticed to pay for malware removal services offered through the rogue security software to remove the fake, simulated, or intentionally introduced, malware. Often the user/victim is then asked to provide credit card, or other payment, information to pay for the malware removal services. In some cases, the user/victim is merely charged the stated amount for the malware removal services, and therefore only the stated amount is effectively stolen from the user/victim. In other cases, the user's/victim's payment information is used to steal larger amounts from the user/victim and/or to achieve identity theft.

Traditional methods of detecting rogue security software using legitimate security systems constitute a fairly time intensive and resource consuming process that is largely reactionary in nature. For instance, currently, an infected consumer of the security system first contacts the security system provider and/or provides a sample of the suspected rogue security software. Then, currently, researchers associated with the security system typically download the suspected rogue security software itself and analyze the suspected rogue security software. Currently, once the suspected rogue security software is analyzed, if it is indeed found to be rogue security software, a sample of the rogue security software, or features/code defining the rogue security software, is added to a rogue security software signature database and further instances of the rogue security software are thereby, in theory, identifiable and stoppable.

As described above, current methods for detection of rogue security software using currently available legitimate security systems are, at best, a time intensive and resource consuming reactionary process that uses samples of the rogue security software itself to identify future instances of specific rogue security software. This means that, using currently available security systems, even in a “best case” scenario, identified rogue security software is provided significant time and opportunity to infect more systems, and create more victims, before an adequate defense is created and implemented.

The actual current situation is even worse than described above because the methods used by perpetrators of rogue security software have become quite sophisticated and the perpetrators of rogue security software have become quite adept at changing the characteristic and operational parameters associated with the rogue security software, such as names, version data, and web-pages, and/or Graphical User Interfaces (GUIs), to avoid detection, or respond to detection, of the rogue security software by various legitimate security systems. Consequently, while, in the past, attackers mass-distributed a relatively small number of rogue security software versions, today they are generating and distributing millions of randomly-generated variants of rogue security software, that are often released as frequently as every few minutes, and sent to just a few targeted users at a time before the next set of variants are generated and distributed. As a result, currently, each user is potentially infected by a unique variant of rogue security software. Thus, traditional definition/signature based approaches to identifying and blocking rogue security software do not scale well to meet this challenge, nor are they particularly effective.

In addition, any text-based methods of detecting rogue security software, such as creating definitions or signatures based on the text of the generated alert and/or warning, can also be ineffective because the warnings may be generated in any language, be made to mimic actual warnings, and are also subject to multiple, and rapidly changed, variations.

As a result of the situation discussed above, rogue security software is currently a very serious threat that, thus far, has proven extremely difficult to detect and block using currently available legitimate security systems.

SUMMARY

According to one embodiment of a method and apparatus for detecting rogue security software, the behavioral characteristic associated with most rogue security software of generating malware warnings and alerts as pop-ups at a high repetition frequency to scare the user/victim into submitting their payment information is used to proactively identify potential rogue security software, as opposed to a detailed analysis and/or the use of specific definitions and/or signature data.

According to one embodiment of a method and apparatus for detecting rogue security software, a timeframe is defined. In one embodiment, a threshold pop-up score is also defined. In one embodiment, the threshold pop-up score is based strictly on a count of pop-up events in the defined timeframe. In one embodiment, the threshold pop-up score is based on a count of pop-up events in the defined timeframe and/or other defined factors/data. In one embodiment, if the pop-up score associated with a non-exempt process exceeds the threshold pop-up score, then the non-exempt process is considered a “suspect” process. In one embodiment, a given user computing system is monitored/scanned for any pop-up events being presented to the user. In one embodiment, once a pop-up event is detected, the source process, or application, associated with the pop-up event is identified. In one embodiment, the identified source process is checked against a list of known safe, or “exempt”, source processes and, if the source process is considered exempt, no further action is taken. In one embodiment, if the identified source process is not on the list of exempt processes, then the identified “non-exempt” source process is monitored for at least the defined timeframe. In one embodiment, each independent pop-up event associated with the non-exempt source process in the defined timeframe is counted and added to a pop-up count, and/or pop-up score, for the non-exempt source process. In one embodiment, the pop-up score for the non-exempt source process is then compared with the threshold pop-up score. In one embodiment, if the pop-up score associated with the non-exempt source process exceeds the threshold pop-up score, then the status of the non-exempt source process is transformed to the status of “suspect” source process and the now identified suspect source process is subjected to further analysis and/or corrective action.

Using the method and apparatus for detecting rogue security software discussed herein, rogue security software is identified based on behavioral characteristics, i.e., the frequent generation of pop-up events, common to many forms, types, and instances of rogue security software, as opposed to specific definitions/signatures related to specific versions/variations of rogue security software. Consequently, using the method and apparatus for detecting rogue security software discussed herein, even when, as is currently the case, millions of specific variants of rogue security software are generated and distributed as frequently as every few minutes and sent to relatively few targeted users at a time, the rogue security software can still be identified, and potentially stopped, quickly, and efficiently, based on the very “marketing model” used by rogue security software, i.e., to scare and/or annoy the user/victim into taking the desired action by frequently displaying fake pop-up alerts and/or warnings.

In addition, the method and apparatus for detecting rogue security software discussed herein is effective regardless of the text, language, and/or type of appearance, of the pop-up warning and/or alert, or any other features associated with the pop-up warning/alert itself.

In addition, using the method and apparatus for detecting rogue security software discussed herein, the perpetrator cannot “defeat” the method and apparatus for detecting rogue security software discussed herein by decreasing the frequency of the pop-up warning and/or alert generated without necessarily decreasing the effectiveness of the rogue security software, i.e., without adversely affecting the ability to scare and/or annoy the user/victim into taking the desired action by less frequently displaying the fake pop-up alerts and/or warnings.

Consequently, using the method and apparatus for detecting rogue security software discussed herein, rogue security software is more reliably and quickly detected and, therefore, fewer users are likely to fall victim to these very serious and damaging scams.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an exemplary hardware architecture for implementing one embodiment including user computing systems, a communication network, a database, and a security system provider computing system, in accordance with one embodiment;

FIG. 2 is a block diagram of an exemplary user computing system of FIG. 1, in accordance with one embodiment;

FIG. 3 is a block diagram of an exemplary security system provider computing system of FIG. 1, in accordance with one embodiment; and

FIG. 4 is a flow chart depicting a process for detecting rogue security software in accordance with one embodiment.

Common reference numerals are used throughout the FIG.s and the detailed description to indicate like elements. One skilled in the art will readily recognize that the above FIG.s are examples and that other architectures, modes of operation, orders of operation and elements/functions can be provided and implemented without departing from the characteristics and features of the invention, as set forth in the claims.

DETAILED DESCRIPTION

Embodiments will now be discussed with reference to the accompanying FIG.s, which depict one or more exemplary embodiments. The following description includes reference to specific embodiments for illustrative purposes. However, the illustrative discussion below is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in view of the teachings below. The embodiments discussed below were chosen and described in order to explain the principles of the invention, and its practical applications, to thereby enable others skilled in the art to utilize the invention and various embodiments with various modifications as may be suited to the particular use contemplated. Therefore, embodiments may be embodied in many different forms than those shown and discussed herein and should not be construed as limited to the embodiments set forth herein, shown in the FIG.s, and/or described below.

According to one embodiment of a method and apparatus for detecting rogue security software, a timeframe is defined.

In various embodiments the timeframe is defined and/or selected during which a source process will be monitored, as discussed below, to calculate a “pop-up score” to be associated with a source process. In various embodiments the timeframe defined and/or selected can be any timeframe desired. In various embodiments, the timeframe is selected depending on the desired level of protection and currently known operating characteristics of both “legitimate” processes and rogue security software at the time of installation and/or update. Consequently, in various embodiments, the time frame selected can be any of, but not limited to: seconds, minutes, hours, days, or any timeframe desired.

In one embodiment, a threshold pop-up score is also defined. In one embodiment, the threshold pop-up score is based strictly on a count of pop-up events in the defined timeframe, i.e., in one embodiment, the threshold pop-up score is the pop-up count for the defined timeframe. In other embodiments, the threshold pop-up score is based on a count of pop-up events in the defined timeframe and/or other defined secondary score factors/data such as a reputation and prevalence score, and/or the presence/absence of other factors that indicate a source process is more, or less, likely, to be suspect. For instance, as a general rule, rogue security software would be expected to have a low prevalence and/or an unknown reputation since rogue security software is typically randomly generated and selectively distributed. In various embodiments, the secondary score factors/data are determined by the provider of the process for detecting rogue security software based on current data available regarding rogue security software, and/or legitimate source processes. In this way, even though the process for detecting rogue security software is largely based on behavioral characteristics of rogue security software, some definitions and/or signature type data can be incorporated as well.

As discussed in more detail below, in one embodiment, the threshold pop-up score is determined such that if the pop-up score associated with a non-exempt process is determined to exceed the threshold pop-up score, then the non-exempt process is considered a “suspect” process. In general, most legitimate processes do not automatically generate pop-ups, or pop-up windows, at a very high frequency, i.e., very often. In fact, even a few pop-ups by a given process while a user is active would be considered annoying and indicative of rogue security software. Consequently, in various embodiments, this fact is used, at least in part, to determine a threshold pop-up score to identify suspicious source processes.

As noted above, in various embodiments, the threshold pop-up score is determined based on analysis of the pop-up scores associated with both known “legitimate” processes and known rogue security software. In various embodiments the threshold pop-up score is determined based on anomaly analysis and/or anomaly detections. Anomalies are deviations from behaviors of normal, i.e., “legitimate” applications.

In various embodiments, a training environment is set up with known samples of good, i.e., “legitimate” processes, and bad, i.e., rogue security software processes, to record their behaviors and attributes, in this particular case, to determine the associated pop-up counts, and/or secondary score factors/data. In various embodiments, the recorded pop-up counts, and/or secondary score factors/data, for both legitimate and rogue security software processes are then fed into any one of various custom machine learning algorithms which, in one embodiment, analyze the information looking for certain patterns under the direction of one or more processors associated with one or more computing systems. In various embodiments, the relevant behaviors and attributes, i.e., the pop-up count data, and/or secondary score factors/data, are then used to categorize pop-up scores typically associated with legitimate processes and/or pop-up scores typically associated with rogue security software. In one embodiment, this data is then used to determine a threshold pop-up score.

According to one embodiment, at least part of the process for detecting rogue security software is implemented by one or more processors associated with a user computing system and the user computing system is monitored/scanned for any pop-ups, or pop-up windows, being presented to the user at the user computing system. According to one embodiment, at least part of the process for detecting rogue security software is implemented by one or more processors associated with a security system provider computing system and the user computing system is monitored/scanned for any pop-ups, or pop-up windows, being presented to the user at the security system provider computing system.

Herein, the terms “pop-up”, “pop-up window”, and “pop-up display”, are used interchangeably and include any graphical and/or textual display shown to a user in an effort to attract a user's attention. As used herein, the terms pop-up, or pop-up window, include not only pop-up windows displayed on a user interface screen, i.e., in the UI foreground, but also any other form of informational window such as a tray or side bar display that is shown to a user in an effort to attract a user's attention. For instance, herein, the term pop-up, or pop-up window, includes, but is not limited to: any bubble display shown to a user in an effort to attract a user's attention; any text box shown to a user in an effort to attract a user's attention; any static graphic shown to a user in an effort to attract a user's attention; any animated graphic shown to a user in an effort to attract a user's attention; any audio element provided to a user in an effort to attract a user's attention; or any other mechanism shown to a user in an effort to attract a user's attention as discussed herein, and/or as known in the art at the time of filing, and/or as developed after the time of filing.

In one embodiment, the given user computing system is monitored/scanned for any type of pop-up, or pop-up window, including malware alerts, and/or any other system and/or application alerts and/or warnings, and/or any other type of pop-up, or pop-up window. In one embodiment, once a pop-up, or pop-up window, is detected, hereinafter referred to as a “pop-up event”, the source process, or application, associated with the pop-up event is identified. In one embodiment, once a pop-up event is detected, the source process, or application, associated with the pop-up event is identified by one or more processors associated with one or more computing systems.

Methods, means, processes, and procedures for determining the source process of a pop-up window are known to those of skill in the art. Consequently, a more detailed discussion of specific methods, means, processes, and procedures for determining the source process of a pop-up window is omitted here to avoid detracting from the invention.

In one embodiment, the identified source process is checked against a list of known safe, or “exempt”, source processes and, if the source process is considered exempt, no further action is taken. In various embodiments, the list of known safe, or exempt, source processes is generated by the provider of the process for detecting rogue security software and is updated at regular intervals and/or as data is obtained. In various embodiments, the list of known safe, or exempt, source processes is generated based on user feedback. In various embodiments, the list of known safe, or exempt, source processes is generated based on analysis performed by the process for detecting rogue security software. In various embodiments, the list of known safe, or exempt, source processes is obtained from any source, or combination of sources, as discussed herein, and/or as known at the time of filing, and/or as developed after the time of filing.

In addition, in one embodiment, the identified source process is checked for other defined secondary score factors/data associated with the source process, such as a reputation and prevalence score or the presence/absence of other factors that indicate the process is more, or less, likely, to be suspect.

In one embodiment, if the identified source process is not on the list of exempt processes, then the identified “non-exempt” source process is monitored for at least the defined timeframe to determine a number of pop-up events that occur in the defined timeframe that are associated with the non-exempt source process.

In one embodiment, the non-exempt source process is monitored for at least the defined timeframe, and/or the number of pop-up events that occur in the defined timeframe that are associated with the non-exempt source process is determined, by one or more processors associated with one or more computing systems.

In one embodiment, each “independent pop-up event” associated with the non-exempt source process in the defined timeframe is counted and added to a pop-up count, and/or pop-up score, for the non-exempt source process. In one embodiment, an “independent pop-up event” is an instance of a pop-up occurring for a first, or a “new”, time. For instance, a pop-up window that occurs and is then minimized by the user, only to be reopened by the user, is, in one embodiment, only a single “independent” pop-up event, regardless of how many times the user reopens the pop-up window. However, a pop-up window that occurs, is closed by the user, and then reoccurs, is treated as two “independent” pop-up events, and each reoccurrence of the pop-up window after the user closes the pop-up window is considered another independent pop-up event.

In one embodiment, the pop-up score for the non-exempt source process is then computed. As noted above, in various embodiments, the pop-up score for the non-exempt source process is calculated based entirely on the count of pop-up events in the defined timeframe that were associated with a non-exempt process. In other embodiments, the pop-up score for the non-exempt source process is calculated based on the count of pop-up events in the defined timeframe that were associated with the non-exempt process and/or other defined secondary score factors/data associated with the non-exempt process, such as a reputation and prevalence score or the presence/absence of other factors that indicate the process is more, or less, likely, to be suspect. As noted above, as a general rule, rogue security software would be expected to have a low prevalence and/or an unknown reputation since rogue security software is typically randomly generated and selectively distributed. As also noted above, in various embodiments, the secondary score factors/data associated with the non-exempt process are determined by the provider of the process for detecting rogue security software based on current data available regarding rogue security software. In this way, even though the process for detecting rogue security software is largely based on behavioral characteristics of rogue security software, some generalized definitions and/or signature type data can be incorporated as well.

In one embodiment, the pop-up score for the non-exempt source process is determined using one or more processors associated with one or more computing systems.

In one embodiment, the calculated/determined pop-up score for the non-exempt source process is then compared with the threshold pop-up score. In one embodiment, the calculated/determined pop-up score for the non-exempt source process is compared with the threshold pop-up score using one or more processors associated with one or more computing systems.

In one embodiment, if the pop-up score associated with the non-exempt source process exceeds the threshold pop-up score, then the status of the non-exempt source process is transformed to the status of “suspect” source process. In one embodiment, if the pop-up score associated with the non-exempt source process exceeds the threshold pop-up score, the status of the non-exempt source process is transformed to the status of “suspect” source process using one or more processors associated with one or more computing systems.

In one embodiment, the now identified suspect source process is subjected to further analysis and/or removal. In one embodiment, the pop-ups associated with the now identified suspect source process are labeled as being potentially generated by rogue security software and the user is prevented from seeing, and/or responding to, at least without a warning, the pop-ups until a more definitive analysis can be performed.

In one embodiment, once a more definitive analysis is performed, if the pop-up is deemed to be generated by rogue security software, signature data for the pop-up and/or the non-exempt source process, now identified as rogue security software, is stored in a rogue security software and/or rogue security software pop-up database and the data in the rogue security software and/or rogue security software pop-up database is used to identify future instances of the pop-up as being rogue security software pop-ups and/or to refine the threshold pop-up score and/or the associated secondary score factors/data.

As one specific and illustrative example of the operation of one embodiment of a process for detecting rogue security software, assume the timeframe is defined to be “1 hour” and the pop-up threshold score is set at “4”. Further assume a pop-up event is detected on a user computing system. In this specific and illustrative example of the operation of one embodiment of a process for detecting rogue security software:

1. The source process responsible for the pop-up event on the desktop is identified;

2. The identified source process is checked against a list of “exempt” source processes and is not found to be on the list of exempt source processes;

3. Reputation and prevalence information is queried from a backend system for the identified source process;

4. Assume the identified source process is determined to have low prevalence and has an unknown reputation. As a result, the identified source process is assessed a penalty score of “1” to be added to the pop-up count of the identified source process;

5. Steps 1 through 3 are repeated for each independent pop-up event detected over the defined timeframe of an hour;

6. A pop-up count is determined for the identified source process for the defined timeframe; in this example assume the pop-up count associated with the identified source process is “4” in the defined timeframe of one hour;

7. The low prevalence and unknown reputation penalty score of “1” is added to the pop-up count of “4” to yield a pop-up score of “5” for the identified source process;

8. The identified source process pop-up score of “5” is compared to the defined threshold pop-up score of “4”; and

9. Since the identified source process pop-up score of “5” is greater than the defined threshold pop-up score of “4”, the identified source process is tagged as a potential or “suspect” source application and further protective action is taken.
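The independent pop-up event rule (minimize/restore counts once, close/reoccur counts again) and the 1 hour, threshold 4 worked example above, as an added Python example that is not code from the patent: the process names, the event model, the exempt list and the reputation/prevalence lookup are constructed stand-ins for the monitor and backend system the text leaves unspecified.

```python
from dataclasses import dataclass

# Parameters taken from the page's worked example: a 1 hour timeframe and a
# threshold pop-up score of 4.
TIMEFRAME_SECONDS = 3600
THRESHOLD_POPUP_SCORE = 4

# Constructed stand-in for the list of known safe ("exempt") source processes.
EXEMPT_PROCESSES = {"explorer.exe"}

# Constructed stand-in for the backend reputation/prevalence query:
# process name -> (prevalence, reputation). Processes the backend has never
# seen fall back to ("low", "unknown"), the profile the page associates with
# randomly generated, selectively distributed rogue security software.
REPUTATION_DB = {
    "updater.exe": ("high", "good"),
    "sysguard_pro.exe": ("low", "unknown"),   # constructed rogue-like process name
}


@dataclass(frozen=True)
class PopupEvent:
    """One UI event observed by the monitor (constructed event model)."""
    ts: float        # seconds since monitoring of the source process started
    process: str     # source process identified for the pop-up window
    window_id: int   # identity of the pop-up window
    action: str      # "open", "minimize", "restore" or "close"


def count_independent_popups(events, process, t_start, t_end):
    """Count "independent pop-up events" for one process inside [t_start, t_end).

    A window counts the first time it is shown; minimizing and restoring it does
    not add to the count; a window that is closed and then shown again counts as
    a new independent event each time it reappears.
    """
    visible = set()   # window ids currently open (minimized windows stay here)
    count = 0
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.process != process or not (t_start <= ev.ts < t_end):
            continue
        if ev.action == "open":
            if ev.window_id not in visible:
                visible.add(ev.window_id)
                count += 1
        elif ev.action == "close":
            visible.discard(ev.window_id)
        # "minimize" and "restore" deliberately leave `visible` unchanged
    return count


def penalty_score(prevalence, reputation):
    """Secondary score factor from the worked example: low prevalence together
    with an unknown reputation adds a penalty of 1 to the pop-up count."""
    return 1 if (prevalence == "low" and reputation == "unknown") else 0


def popup_score(events, process, t_start, reputation_db=REPUTATION_DB):
    """Pop-up count over the timeframe plus the reputation/prevalence penalty."""
    count = count_independent_popups(events, process, t_start,
                                     t_start + TIMEFRAME_SECONDS)
    prevalence, reputation = reputation_db.get(process, ("low", "unknown"))
    return count + penalty_score(prevalence, reputation)


def classify_process(events, process, t_start, reputation_db=REPUTATION_DB):
    """Return "exempt", "suspect" or "not suspect" for the identified source process."""
    if process in EXEMPT_PROCESSES:
        return "exempt"   # exempt list checked first: no further action is taken
    score = popup_score(events, process, t_start, reputation_db)
    return "suspect" if score > THRESHOLD_POPUP_SCORE else "not suspect"


# Constructed sample timeline for the hour starting at t=0.
SAMPLE_EVENTS = [
    PopupEvent(0,    "sysguard_pro.exe", 1, "open"),      # independent event 1
    PopupEvent(300,  "sysguard_pro.exe", 1, "minimize"),
    PopupEvent(600,  "sysguard_pro.exe", 1, "restore"),   # reopened by user: not counted
    PopupEvent(900,  "sysguard_pro.exe", 1, "close"),
    PopupEvent(1200, "sysguard_pro.exe", 1, "open"),      # reoccurs after close: event 2
    PopupEvent(1500, "sysguard_pro.exe", 1, "close"),
    PopupEvent(1800, "sysguard_pro.exe", 2, "open"),      # event 3
    PopupEvent(2400, "sysguard_pro.exe", 2, "close"),
    PopupEvent(3000, "sysguard_pro.exe", 3, "open"),      # event 4
    PopupEvent(3900, "sysguard_pro.exe", 4, "open"),      # outside the 1 hour timeframe
    PopupEvent(100,  "updater.exe",      9, "open"),      # a single legitimate notice
    PopupEvent(200,  "explorer.exe",     8, "open"),      # exempt process
]


if __name__ == "__main__":
    for name in ("sysguard_pro.exe", "updater.exe", "explorer.exe"):
        print(name, popup_score(SAMPLE_EVENTS, name, 0),
              classify_process(SAMPLE_EVENTS, name, 0))
```

The constructed rogue-like process yields a count of 4 plus a penalty of 1, i.e. the score of 5 from the worked example, while a single legitimate notice from a well-known process stays well under the threshold.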

Using the process for detecting rogue security software discussed herein, rogue security software is identified based on behavioral characteristics, i.e., the frequent generation of pop-up events, common to many forms, types, and instances of rogue security software, as opposed to specific definitions/signatures related to specific versions/variations of rogue security software. Consequently, using the process for detecting rogue security software discussed herein, even when, as is currently the case, millions of specific variants of rogue security software are generated and distributed as frequently as every few minutes, and sent to relatively few targeted users at a time, the rogue security software can still be identified, and potentially stopped, quickly, and efficiently, based on the very “marketing model” used by rogue security software, i.e., to scare and/or annoy the user/victim into taking the desired action by frequently displaying fake pop-up alerts and/or warnings.

In addition, the process for detecting rogue security software discussed herein is effective regardless of the text, language, and/or type of appearance, of the pop-up warning and/or alert, or any other features associated with the pop-up warning/alert itself.

In addition, using the process for detecting rogue security software discussed herein, the perpetrator cannot “defeat” the method and apparatus for detecting rogue security software discussed herein by decreasing the frequency of the pop-up warning and/or alert generated without necessarily decreasing the effectiveness of the rogue security software, i.e., without adversely affecting the ability to scare and/or annoy the user/victim into taking the desired action by less frequently displaying the fake pop-up alerts and/or warnings.

Consequently, using the process for detecting rogue security softwarediscussed herein, rogue security software is more reliably and quicklydetected and, therefore, fewer users are likely to fall victim to thesevery serious and damaging scams.

Hardware

FIG. 1 shows a block diagram of an exemplary hardware system 10 suitable for implementing one embodiment of a process for detecting rogue security software, such as exemplary process 400 of FIG. 4 discussed below. Returning to FIG. 1, exemplary hardware system 10 includes: one or more user computing system(s) 100, including communication interface(s) 222; security system provider computing system 150, including communication interface 322; and database 170; all communicating via communication interfaces 222 and 322 and network 130.

In one embodiment, one or more of user computing system(s) 100 are client computing systems. In one embodiment, one or more of user computing system(s) 100 are server computing systems that are, in turn, associated with one or more client computing systems. In one embodiment, one or more of user computing system(s) 100 are representative of multiple user computing systems. In one embodiment, one or more of user computing system(s) 100 are part of a cloud computing environment. In one embodiment, user computing system(s) 100 are used, and/or are accessible, by another computing system, such as security system provider computing system 150 (discussed below) or any one or more of other user computing system(s) 100.

As used herein, the term “computing system”, such as is included in the terms “user computing system” and “security system provider computing system”, includes, but is not limited to: a portable computer; a workstation; a two-way pager; a cellular telephone; a smart phone; a digital wireless telephone; a Personal Digital Assistant (PDA); a media player, i.e., an MP3 player and/or other music and/or video player; a server computer; an Internet appliance; or any other device that includes components that can execute all, or part, of any one of the processes and/or operations as described herein. In addition, as used herein, the term computing system can denote, but is not limited to, computing systems made up of multiple: computers; wireless devices; cellular telephones; digital telephones; two-way pagers; PDAs; media players; server computers; or any desired combination of these devices, that are coupled to perform the processes and/or operations as described herein.

In various embodiments, user computing system(s) 100 can be any computing system as defined herein and/or as known in the art at the time of filing and/or as developed thereafter, that includes components that can execute all, or part, of a process for detecting rogue security software in accordance with at least one of the embodiments as described herein. A more detailed discussion of user computing system(s) 100 is provided below with respect to FIG. 2.

Returning to FIG. 1, in one embodiment, security system provider computing system 150 is any computing system as defined herein and/or as known in the art at the time of filing and/or as developed thereafter, that includes components that can execute all, or part, of a process for detecting rogue security software in accordance with at least one of the embodiments as described herein and is accessible by, controlled by, and/or otherwise associated with, a security system provider. As used herein, a security system provider includes, but is not limited to, any party, person, application, system, or entity that desires to identify and block rogue security software.

In one embodiment, security system provider computing system 150 is representative of two or more security system provider computing systems. In one embodiment, security system provider computing system 150 is a client computing system associated with one or more server computing systems. In one embodiment, security system provider computing system 150 is a server computing system that is, in turn, associated with one or more client computing systems that are users of one or more security systems provided through, or monitored by, the security system provider associated with security system provider computing system 150. In one embodiment, security system provider computing system 150 is part of a cloud computing environment. A more detailed discussion of security system provider computing system 150 is provided below with respect to FIG. 3.

Also shown in FIG. 1 is database 170. In one embodiment, database 170 is a data storage device, a designated server system or computing system, or a designated portion of one or more server systems or computing systems, such as computing system(s) 100 and/or security system provider computing system 150, or a distributed database, or an external and/or portable hard drive. In one embodiment, database 170 is a dedicated mass storage device implemented in software, hardware, or a combination of hardware and software. In one embodiment, database 170 is a web-based function. As discussed in more detail below, in one embodiment, database 170 is under the control of, or otherwise accessible by, a process for detecting rogue security software, and/or a provider of a security system and/or a security system provider computing system 150. In one embodiment, database 170 is part of a cloud computing environment.

In one embodiment, computing system(s) 100, security system provider computing system 150, and database 170 are coupled through network 130. In various embodiments, network 130 is any network, communications network, or network/communications network system such as, but not limited to, a peer-to-peer network, a hybrid peer-to-peer network, a Local Area Network (LAN), a Wide Area Network (WAN), a public network, such as the Internet, a private network, a cellular network, a combination of different network types, or other wireless, wired, and/or a wireless and wired combination network capable of allowing communication between two or more computing systems, as discussed herein, and/or available or known at the time of filing, and/or as developed after the time of filing.

In one embodiment, computing system(s) 100, security system provider computing system 150, and database 170 are coupled in a cloud computing environment.

FIG. 2 is a more detailed block diagram of an exemplary user computing system(s) 100. As seen in FIG. 2, in one embodiment, user computing system(s) 100 include(s) one or more Central Processing Unit(s), CPU(s) 201; user memory 230; at least one communication interface 222; an Input/Output interface, I/O interface 205, including one or more user interface devices such as display device 213, keyboard 207, printer 209, and/or mouse 211; all interconnected by one or more communication buses 202.

As also seen in FIG. 2, in one embodiment, user memory 230 can store data and/or instructions associated with, but not limited to, the following elements, subsets of elements, and/or super sets of elements for processing by one or more processors, such as CPU(s) 201 (FIG. 2) and/or 301 (FIG. 3): operating system 231 that includes procedures, data, and/or instructions for handling various services and performing/coordinating hardware dependent tasks; network communications module 233 that includes procedures, data, and/or instructions, for, along with communication interface 222, connecting user computing system(s) 100 to other computing systems, such as other user computing system(s) 100 and/or security system provider computing system 150 of FIG. 1, and/or a network, such as network 130 of FIG. 1, and/or a database, such as database 170 of FIG. 1; and security system module 241 (FIG. 2) that includes procedures, data, and/or instructions, for implementing at least part of a process for detecting rogue security software and/or identifying potential or “suspect” source processes or applications on user computing system(s) 100.

As also seen in FIG. 2, in one embodiment, security system module 241 of user memory 230 includes timeframe and threshold pop-up score data 243 that includes procedures, data, and/or instructions associated with a defined timeframe and a defined threshold pop-up score.

As also seen in FIG. 2, in one embodiment, security system module 241 of user memory 230 includes pop-up monitoring module 245 that includes procedures, data, and/or instructions, associated with monitoring and/or scanning a given user computing system, such as user computing systems 100 of FIG. 1, for any pop-up events being presented to the user.

As also seen in FIG. 2, in one embodiment, security system module 241 of user memory 230 includes exempt source process data 247 that includes procedures, data, and/or instructions, associated with a list of known safe, or “exempt”, source processes that are exempt from monitoring and require no further action, and/or other defined factors/data.

As also seen in FIG. 2, in one embodiment, security system module 241 of user memory 230 includes source process determination module 249 that includes procedures, data, and/or instructions, for identifying the source process, or application, associated with detected pop-up events.

As also seen in FIG. 2, in one embodiment, security system module 241 of user memory 230 includes pop-up score data 251 that includes procedures, data, and/or instructions, associated with tracking each independent pop-up event associated with a non-exempt source process in the defined timeframe and calculating and storing a pop-up count, and/or pop-up score, for the non-exempt source process.

As also seen in FIG. 2, in one embodiment, security system module 241 of user memory 230 includes analysis module 253 that includes procedures, data, and/or instructions, for analyzing and/or comparing the pop-up score data for a non-exempt source process of pop-up score data 251 with the threshold pop-up score data of timeframe and threshold pop-up score data 243.

As also seen in FIG. 2, in one embodiment, security system module 241 of user memory 230 includes status transformation module 255 that includes procedures, data, and/or instructions, for transforming the status of a non-exempt source process whose pop-up score data 251 is determined to be greater than the threshold pop-up score data of timeframe and threshold pop-up score data 243 at analysis module 253 to a status of “suspect” source process.

Those of skill in the art will readily recognize that the choice of components, data, modules, and information shown in FIG. 2, the organization of the components, data, modules, and information shown in FIG. 2, and the manner of storage and location of storage of the data, modules, and information shown in FIG. 2 was made for illustrative purposes only and that other choices of components, data, modules, and information, organization of the components, data, modules, and information, manner of storing, and location of storage, of the data, modules, and information can be implemented without departing from the scope of the invention as set forth in the claims below. In particular, the various modules and/or data shown in FIG. 2 are illustrative only and not limiting. In various other embodiments, the particular modules and/or data shown in FIG. 2 can be grouped together in fewer modules and/or data locations or divided among more modules and/or data locations. Consequently, those of skill in the art will recognize that other orders and/or grouping are possible and the particular modules and/or data, order, and/or grouping shown in FIG. 2 discussed herein do not limit the scope as claimed below.

A more detailed discussion of the operation of exemplary user computing system(s) 100, user memory 230, and security system module 241 of user memory 230, is provided below with respect to FIG. 4.

FIG. 3 is a more detailed block diagram of an exemplary security system provider computing system 150. As seen in FIG. 3, in one embodiment, security system provider computing system 150 includes one or more Central Processing Unit(s), CPU(s) 301; security system memory system 330; at least one communication interface 322; an Input/Output interface, I/O interface 305, including one or more user interface devices such as display device 313, keyboard 307, printer 309, and/or mouse 311; all interconnected by one or more communication buses 302.

As also seen in FIG. 3, in one embodiment, security system memory system 330 can store data and/or instructions associated with, but not limited to, the following elements, subsets of elements, and/or super sets of elements for use in processing by one or more processors, such as CPU(s) 201 (FIG. 2) and/or 301 (FIG. 3): operating system 331 that includes procedures, data, and/or instructions for handling various services and performing/coordinating hardware dependent tasks; network communications module 333 that includes procedures, data, and/or instructions, for, along with communication interface 322, connecting security system provider computing system 150 to other computing systems, such as user computing system(s) 100 and/or another security system provider computing system, and/or a network, such as network 130 of FIG. 1, and/or a database, such as database 170 of FIG. 1; and security system module 341 (FIG. 3) that includes procedures, data, and/or instructions, for implementing at least part of a process for detecting rogue security software and/or identifying potential or “suspect” source processes or applications on user computing system(s) 100.

As also seen in FIG. 3, in one embodiment, security system module 341 of user memory 330 includes timeframe and threshold pop-up score data 343 that includes procedures, data, and/or instructions associated with a defined timeframe and a defined threshold pop-up score.

As also seen in FIG. 3, in one embodiment, security system module 341 of user memory 330 includes pop-up monitoring module 345 that includes procedures, data, and/or instructions, associated with monitoring and/or scanning a given user computing system, such as user computing systems 100 of FIG. 1, for any pop-up events being presented to the user.

As also seen in FIG. 3, in one embodiment, security system module 341 of user memory 330 includes exempt source process data 347 that includes procedures, data, and/or instructions, associated with a list of known safe, or “exempt”, source processes that are exempt from monitoring and require no further action and/or other defined factors/data.

As also seen in FIG. 3, in one embodiment, security system module 341 of user memory 330 includes source process determination module 349 that includes procedures, data, and/or instructions, for identifying the source process, or application, associated with detected pop-up events.

As also seen in FIG. 3, in one embodiment, security system module 341 of user memory 330 includes pop-up score data 351 that includes procedures, data, and/or instructions, associated with tracking each independent pop-up event associated with a non-exempt source process in the defined timeframe and calculating and storing a pop-up count, and/or pop-up score, for the non-exempt source process.

As also seen in FIG. 3, in one embodiment, security system module 341 of user memory 330 includes analysis module 353 that includes procedures, data, and/or instructions, for analyzing and/or comparing the pop-up score data for a non-exempt source process of pop-up score data 351 with the threshold pop-up score data of timeframe and threshold pop-up score data 243.

As also seen in FIG. 3, in one embodiment, security system module 341 of user memory 330 includes status transformation module 355 that includes procedures, data, and/or instructions, for transforming the status of a non-exempt source process whose pop-up score data 351 is determined to be greater than the threshold pop-up score data of timeframe and threshold pop-up score data 343 at analysis module 353 to a status of “suspect” source process.

Those of skill in the art will readily recognize that the choice of components, data, modules, and information shown in FIG. 3, the organization of the components, data, modules, and information shown in FIG. 3, and the manner of storage and location of storage of the data, modules, and information shown in FIG. 3 was made for illustrative purposes only and that other choices of components, data, modules, and information, organization of the components, data, modules, and information, manner of storing, and location of storage, of the data, modules, and information can be implemented without departing from the scope of the invention as set forth in the claims below. In particular, the various modules and/or data shown in FIG. 3 are illustrative only and not limiting. In various other embodiments, the particular modules and/or data shown in FIG. 3 can be grouped together in fewer modules and/or data locations or divided among more modules and/or data locations. Consequently, those of skill in the art will recognize that other orders and/or grouping are possible and the particular modules and/or data, order, and/or grouping shown in FIG. 3 discussed herein do not limit the scope as claimed below.

A more detailed discussion of the operation of exemplary security system provider computing system 150, security system memory system 330, security system module 334 of security system memory system 330, and user data module 343 of security system memory system 330 is provided below with respect to FIG. 4.

Process

According to one embodiment of a process for detecting rogue security software, the behavioral characteristic associated with most rogue security software of generating malware warnings and alerts as pop-ups at a high repetition frequency to scare the user/victim into submitting their payment information is used to proactively identify potential rogue security software, as opposed to a detailed analysis and/or the use of specific definitions and/or signature data.

According to one embodiment of a process for detecting rogue security software, a timeframe is defined. In one embodiment, a threshold pop-up score is also defined. In one embodiment, the threshold pop-up score is based strictly on a count of pop-up events in the defined timeframe. In one embodiment, the threshold pop-up score is based on a count of pop-up events in the defined timeframe and/or other defined factors/data. In one embodiment, if the pop-up score associated with a non-exempt process exceeds the threshold pop-up score, then the non-exempt process is considered a “suspect” process. In one embodiment, a given user computing system is monitored/scanned for any pop-up events being presented to the user. In one embodiment, once a pop-up event is detected, the source process, or application, associated with the pop-up event is identified. In one embodiment, the identified source process is checked against a list of known safe, or “exempt”, source processes and, if the source process is considered exempt, no further action is taken. In one embodiment, if the identified source process is not on the list of exempt processes, then the identified “non-exempt” source process is monitored for at least the defined timeframe. In one embodiment, each independent pop-up event associated with the non-exempt source process in the defined timeframe is counted and added to a pop-up count, and/or pop-up score, for the non-exempt source process. In one embodiment, the pop-up score for the non-exempt source process is then compared with the threshold pop-up score. In one embodiment, if the pop-up score associated with the non-exempt source process exceeds the threshold pop-up score, then the status of the non-exempt source process is transformed to the status of “suspect” source process and the now identified suspect source process is subjected to further analysis and/or corrective action.
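As an added illustration of the procedure summarized above (example code, not the patent's own implementation, which the text does not disclose), the following Python sketch applies the steps in order: a defined timeframe and threshold pop-up score, an exempt list checked before any counting, a sliding-window count of pop-up events per source process, an optional secondary score factor folded into the pop-up score, and a status change to “suspect” once the score exceeds the threshold. The event format, the process names, the 300-second timeframe, the threshold of 4 and the secondary-factor weights are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Added example: a sliding-window pop-up scorer following the process above.
# Event format, process names and all numeric values are constructed assumptions.


@dataclass
class PopupEvent:
    timestamp: float       # seconds since monitoring started
    source_process: str    # process or application that produced the pop-up


@dataclass
class PopupScorer:
    timeframe: float       # defined timeframe, in seconds
    threshold: int         # defined threshold pop-up score
    exempt: set            # known-safe ("exempt") source processes
    # Optional secondary score factors (assumed): e.g. +2 for a process with
    # unknown reputation and low prevalence; absent for well-known processes.
    secondary: dict = field(default_factory=dict)
    windows: dict = field(default_factory=lambda: defaultdict(deque))
    suspects: set = field(default_factory=set)

    def pop_up_score(self, process):
        """Pop-up count inside the timeframe plus any secondary factor."""
        return len(self.windows[process]) + self.secondary.get(process, 0)

    def observe(self, event):
        """Handle one detected pop-up event; return the source process status."""
        proc = event.source_process
        # Exempt processes require no further action.
        if proc in self.exempt:
            return "exempt"
        window = self.windows[proc]
        window.append(event.timestamp)
        # Drop events that fell out of the defined timeframe, so that spacing
        # pop-ups more widely lowers the score (the trade-off the text describes).
        while event.timestamp - window[0] > self.timeframe:
            window.popleft()
        if self.pop_up_score(proc) > self.threshold:
            self.suspects.add(proc)
            return "suspect"
        return "non-exempt"


def run_constructed_sample():
    """Replay a constructed event stream; return (final status per process, scorer)."""
    scorer = PopupScorer(
        timeframe=300.0,
        threshold=4,
        exempt={"os_update_agent"},
        secondary={"unknown_tool": 2},   # assumed: unknown reputation, low prevalence
    )
    # Constructed sample events (timestamp in seconds, source process).
    events = (
        [PopupEvent(t, "os_update_agent") for t in range(0, 100, 10)]   # 10 pop-ups, exempt
        + [PopupEvent(t, "rogue_av") for t in (0, 10, 20, 30, 40)]     # 5 pop-ups in 40 s
        + [PopupEvent(t, "editor") for t in (5, 500)]                   # 2 pop-ups, 495 s apart
        + [PopupEvent(t, "unknown_tool") for t in (100, 110, 120)]      # 3 pop-ups + factor 2
    )
    events.sort(key=lambda e: e.timestamp)
    status = {}
    for event in events:
        status[event.source_process] = scorer.observe(event)
    return status, scorer


if __name__ == "__main__":
    final_status, _ = run_constructed_sample()
    for name, state in sorted(final_status.items()):
        print(f"{name}: {state}")
```

In the constructed stream, `rogue_av` reaches a score of 5 inside the window and is marked suspect; `editor` shows two pop-ups but the first has aged out of the 300-second window by the time the second arrives, so its score stays at 1; `os_update_agent` is exempt regardless of how many pop-ups it raises; and `unknown_tool` illustrates the secondary-factor variant, where three pop-ups plus an assumed reputation weight of 2 also cross the threshold.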

FIG. 4 is a flow chart depicting a process for detecting rogue security software 400 in accordance with one embodiment.

Process for detecting rogue security software 400 begins at ENTER OPERATION 401 and process flow proceeds to DEFINE A TIMEFRAME OPERATION 403.

In one embodiment, at DEFINE A TIMEFRAME OPERATION 403 a timeframe is defined.

In various embodiments, at DEFINE A TIMEFRAME OPERATION 403 the timeframe is defined and/or selected during which a source process will be monitored, as discussed below, to calculate a “pop-up score” to be associated with a source process. In various embodiments the timeframe defined and/or selected can be any timeframe desired. In various embodiments, the timeframe is selected depending on the desired level of protection and currently known operating characteristics of both “legitimate” processes and rogue security software at the time of installation and/or update. Consequently, in various embodiments, the timeframe selected can be any of, but not limited to, seconds, minutes, hours, days, or any timeframe desired.

In one embodiment, once a timeframe is defined at DEFINE A TIMEFRAME OPERATION 403 process flow proceeds to DEFINE A THRESHOLD POP-UP SCORE OPERATION 405.

In one embodiment, at DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 a threshold pop-up score is defined.

In one embodiment, at DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 the threshold pop-up score is based strictly on a count of pop-up events in the defined timeframe, i.e., in one embodiment, the threshold pop-up score is the pop-up count for the defined timeframe.

In other embodiments, at DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 the threshold pop-up score is based on a count of pop-up events in the defined timeframe and/or other defined secondary score factors/data such as a reputation and prevalence score, and/or the presence/absence of other factors that indicate a source process is more, or less, likely to be suspect. For instance, as a general rule, rogue security software would be expected to have a low prevalence and/or an unknown reputation since rogue security software is typically randomly generated and selectively distributed.

In various embodiments, the secondary score factors/data are determined by the provider of process for detecting rogue security software 400 based on current data available regarding rogue security software, and/or legitimate source processes. In this way, even though process for detecting rogue security software 400 is largely based on behavioral characteristics of rogue security software, some definitions and/or signature type data can be incorporated as well.

As discussed in more detail below, in one embodiment, at DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 the threshold pop-up score is determined such that if the pop-up score associated with a non-exempt process is determined to exceed the threshold pop-up score, then the non-exempt process is considered a “suspect” process.

In general, most legitimate processes do not automatically generate pop-ups, or pop-up windows, at a very high frequency, i.e., very often. In fact, even a few pop-ups generated by a given process while a user is active would be considered annoying and indicative of rogue security software. Consequently, in various embodiments, at DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 this fact is used, at least in part, to determine a threshold pop-up score to identify suspicious source processes.

As noted above, in various embodiments, at DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 the threshold pop-up score is determined based on analysis of the pop-up scores associated with both known “legitimate” processes and known rogue security software. In various embodiments the threshold pop-up score is determined based on anomaly analysis and/or anomaly detection. Anomalies are deviations from the behaviors of normal, i.e., “legitimate”, applications.

In various embodiments, a training environment is set up with known samples of good, i.e., “legitimate”, processes and bad, i.e., rogue security software, processes to record their behaviors and attributes, in this particular case, to determine the associated pop-up counts, and/or secondary score factors/data. In various embodiments, the recorded pop-up counts, and/or secondary score factors/data, for both legitimate and rogue security software processes are then fed into any one of various custom machine learning algorithms which, in one embodiment, analyze the information looking for certain patterns under the direction of one or more processors associated with one or more computing systems. In various embodiments, the relevant behaviors and attributes, i.e., the pop-up count data, and/or secondary score factors/data, are then used to categorize pop-up counts, and/or secondary score factors/data, typically associated with legitimate processes and/or pop-up counts, and/or secondary score factors/data, typically associated with rogue security software. In one embodiment, this data is then used to determine a threshold pop-up score.
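The training step just described can be illustrated with a small added example (not from the patent, which names no particular algorithm): given pop-up counts recorded over one defined timeframe for known legitimate processes and for known rogue security software, pick the integer threshold pop-up score that best separates the two classes, and compare it with a simple anomaly-based threshold derived from the legitimate population alone. The counts below are constructed; the function and variable names are assumptions.

```python
import math
import statistics

# Added example: choosing a threshold pop-up score from constructed training data.
# Each value is the number of pop-up events one process raised during one
# defined timeframe; both lists are constructed, not measured.
LEGIT_COUNTS = [0, 0, 0, 1, 0, 2, 1, 0, 0, 1, 3, 0]
ROGUE_COUNTS = [6, 9, 5, 12, 7, 8, 4, 15]


def classification_errors(threshold, legit_counts, rogue_counts):
    """Return (false_positives, false_negatives) for the rule
    'suspect if pop-up count > threshold', matching the comparison in the process."""
    false_positives = sum(1 for c in legit_counts if c > threshold)
    false_negatives = sum(1 for c in rogue_counts if c <= threshold)
    return false_positives, false_negatives


def choose_threshold(legit_counts, rogue_counts):
    """Pick the integer threshold with the fewest total misclassifications.

    Ties go to the higher threshold, i.e. toward fewer false positives, because
    flagging a legitimate process as suspect costs more than a slightly later
    detection of a rogue one.
    """
    candidates = range(0, max(legit_counts + rogue_counts) + 1)
    best = None
    for t in candidates:
        fp, fn = classification_errors(t, legit_counts, rogue_counts)
        if best is None or fp + fn <= best[1]:
            best = (t, fp + fn)
    return best[0]


def anomaly_threshold(legit_counts, k=3):
    """Threshold from the legitimate population only: mean + k standard deviations.

    Any count above this value is treated as an anomaly, i.e. a deviation from
    normal application behaviour, without needing rogue samples at all.
    """
    mean = statistics.mean(legit_counts)
    spread = statistics.pstdev(legit_counts)
    return math.ceil(mean + k * spread)


if __name__ == "__main__":
    separating = choose_threshold(LEGIT_COUNTS, ROGUE_COUNTS)
    print("separating threshold:", separating,
          classification_errors(separating, LEGIT_COUNTS, ROGUE_COUNTS))
    print("anomaly threshold (k=3):", anomaly_threshold(LEGIT_COUNTS))
```

With these constructed samples the separating rule lands on a threshold of 3 with no misclassifications, while the anomaly rule from the legitimate population alone gives 4; a deployment would retune both as the recorded behaviour of legitimate and rogue processes changes, which is why the text has the provider refresh this data at installation and update time.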

In one embodiment, once a threshold pop-up score is defined at DEFINE A THRESHOLD POP-UP SCORE OPERATION 405, process flow proceeds to MONITOR/SCAN A GIVEN USER COMPUTING SYSTEM TO DETECT ONE OR MORE POP-UP EVENTS OPERATION 407.

In one embodiment, at MONITOR/SCAN A GIVEN USER COMPUTING SYSTEM TO DETECT ONE OR MORE POP-UP EVENTS OPERATION 407 a user computing system is monitored/scanned for any pop-up events being presented to the user.

In one embodiment, at MONITOR/SCAN A GIVEN USER COMPUTING SYSTEM TO DETECT ONE OR MORE POP-UP EVENTS OPERATION 407 the user computing system is monitored/scanned for any pop-up events being presented to the user by one or more processors, such as CPUs 201, 301 of FIG. 2 and FIG. 3, associated with a user computing system, such as user computing system 100 of FIGS. 1 and 2, and/or security system provider computing system 150 of FIGS. 1 and 3.

Returning to FIG. 4, in one embodiment, at MONITOR/SCAN A GIVEN USER COMPUTING SYSTEM TO DETECT ONE OR MORE POP-UP EVENTS OPERATION 407 at least part of process for detecting rogue security software 400 is implemented by one or more processors, such as CPUs 201 of FIG. 2, associated with a user computing system, such as user computing system 100 of FIGS. 1 and 2, and the user computing system is monitored/scanned for any pop-ups, or pop-up windows, being presented to the user at the security system provider computing system using a pop-up monitoring module, such as pop-up monitoring module 245, of security system module 241, of user memory 230, of user computing system 100 of FIG. 2.

Returning to FIG. 4, in one embodiment, at MONITOR/SCAN A GIVEN USER COMPUTING SYSTEM TO DETECT ONE OR MORE POP-UP EVENTS OPERATION 407 at least part of process for detecting rogue security software 400 is implemented by one or more processors, such as CPUs 301 of FIG. 3, associated with a security system provider computing system and the user computing system is monitored/scanned for any pop-ups, or pop-up windows, being presented to the user at the security system provider computing system using a pop-up monitoring module, such as pop-up monitoring module 345, of security system module 341, of user memory 330, of security system provider computing system 150 of FIG. 3.

Herein, the terms “pop-up”, “pop-up window”, and “pop-up display” are used interchangeably and include any graphical and/or textual display shown to a user in an effort to attract a user's attention. As used herein, the terms pop-up, or pop-up window, include not only pop-up windows displayed on a user interface screen, i.e., in the UI foreground, but also any other form of informational window such as a tray or side bar display that is shown to a user in an effort to attract a user's attention. For instance, herein, the term pop-up, or pop-up window, includes, but is not limited to: any bubble display shown to a user in an effort to attract a user's attention; any text box shown to a user in an effort to attract a user's attention; any static graphic shown to a user in an effort to attract a user's attention; any animated graphic shown to a user in an effort to attract a user's attention; any audio element provided to a user in an effort to attract a user's attention; or any other mechanism shown to a user in an effort to attract a user's attention as discussed herein, and/or as known in the art at the time of filing, and/or as developed after the time of filing.

Returning to FIG. 4, in one embodiment, at MONITOR/SCAN A GIVEN USER COMPUTING SYSTEM TO DETECT ONE OR MORE POP-UP EVENTS OPERATION 407 the given user computing system is monitored/scanned for any type of pop-up, or pop-up window, including malware alerts, and/or any other system and/or application alerts and/or warnings, and/or any other type of pop-up, or pop-up window.

In one embodiment, once a user computing system is monitored/scanned for any pop-up events being presented to the user at MONITOR/SCAN A GIVEN USER COMPUTING SYSTEM TO DETECT ONE OR MORE POP-UP EVENTS OPERATION 407 process flow proceeds to DETECT A POP-UP EVENT OPERATION 409.

In one embodiment, at DETECT A POP-UP EVENT OPERATION 409 a pop-up event is detected on the user computing system.

In one embodiment, at DETECT A POP-UP EVENT OPERATION 409 a pop-up event is detected on the user computing system by one or more processors, such as CPUs 201, 301 of FIG. 2 and FIG. 3, associated with a user computing system, such as user computing system 100 of FIGS. 1 and 2, and/or security system provider computing system 150 of FIGS. 1 and 3.

In one embodiment, once a pop-up event is detected on the user computing system at DETECT A POP-UP EVENT OPERATION 409 process flow proceeds to DETERMINE THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT OPERATION 411.

In one embodiment, at DETERMINE THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT OPERATION 411, once a pop-up event is detected at DETECT A POP-UP EVENT OPERATION 409, the source process, or application, associated with the pop-up event is identified.

In one embodiment, at DETERMINE THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT OPERATION 411, once a pop-up, or pop-up window, is detected, hereinafter referred to as a “pop-up event”, the source process, or application, associated with, and/or generating, the pop-up event is identified.

In one embodiment, the source process, or application, associated with the pop-up event is identified by one or more processors, such as CPUs 201, 301 of FIG. 2 and FIG. 3, associated with a user computing system, such as user computing system 100 of FIGS. 1 and 2, and/or security system provider computing system 150 of FIGS. 1 and 3.

Methods, means, processes, and procedures for determining the source process of a pop-up window are known to those of skill in the art. Consequently, a more detailed discussion of specific methods, means, processes, and procedures for determining the source process of a pop-up window is omitted here to avoid detracting from the invention.

Returning to FIG. 4, in one embodiment, once the source process, or application, associated with the pop-up event of DETECT A POP-UP EVENT OPERATION 409 is identified at DETERMINE THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT OPERATION 411 process flow proceeds to DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413.

In one embodiment, at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 the identified source process of DETERMINE THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT OPERATION 411 is checked against a list of known safe, or “exempt”, source processes.

In one embodiment, at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 the identified source process of DETERMINE THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT OPERATION 411 is checked against a list of known safe, or “exempt”, source processes using a source process determination module, such as source process determination modules 249 and 349 of FIGS. 2 and 3.

Returning to FIG. 4, in various embodiments, the list of known safe, or exempt, source processes used at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 is generated by the provider of process for detecting rogue security software 400 and is updated at regular intervals and/or as data is obtained.

In various embodiments, the list of known safe, or exempt, source processes used at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 is generated based on user feedback.

In various embodiments, the list of known safe, or exempt, source processes used at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 is generated based on analysis performed by process for detecting rogue security software 400.

In various embodiments, the list of known safe, or exempt, source processes used at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 is obtained from any source, or combination of sources, as discussed herein, and/or as known at the time of filing, and/or as developed after the time of filing.

In addition, in one embodiment, at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 the identified source process is checked for other defined secondary score factors/data associated with the source process, such as a reputation and prevalence score or the presence/absence of other factors that indicate the process is more, or less, likely to be suspect.

In one embodiment, if at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 the identified source process of DETERMINE THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT OPERATION 411 is checked against a list of known safe, or “exempt”, source processes and the source process is considered exempt, no further action is taken.

In one embodiment, if at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 the identified source process of DETERMINE THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT OPERATION 411 is not on the list of exempt processes, then the status of the identified source process is transformed to identified “non-exempt” source process and process flow proceeds to DETERMINE THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCUR IN THE DEFINED TIMEFRAME OPERATION 415.

In one embodiment, at DETERMINE THE NUMBER OF INDEPENDENT POP-UP EVENTSASSOCIATED WITH THE SOURCE PROCESS THAT OCCUR IN THE DEFINED TIMEFRAMEOPERATION 415 the identified “non-exempt” source process of DETERMINETHAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A“NON-EXEMPT” SOURCE PROCESS OPERATION 413 is monitored for at least thedefined timeframe of DEFINE A TIMEFRAME OPERATION 403 to determine anumber of pop-up events that occur in the defined timeframe that areassociated with the non-exempt source process.

In one embodiment, at DETERMINE THE NUMBER OF INDEPENDENT POP-UP EVENTSASSOCIATED WITH THE SOURCE PROCESS THAT OCCUR IN THE DEFINED TIMEFRAMEOPERATION 415, the non-exempt source process is monitored for at leastthe defined timeframe, and/or the number of pop-up events that occur inthe defined timeframe that are associated with the non-exempt sourceprocess is determined, by one or more processors, such as CPUs 201, 301of FIG. 2 and FIG. 3, associated with a user computing system, such asuser computing system 100 of FIGS. 1 and 2, and/or security systemprovider computing system 150 of FIGS. 1 and 3.

Returning to FIG. 4, in one embodiment, at DETERMINE THE NUMBER OFINDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCURIN THE DEFINED TIMEFRAME OPERATION 415 each “independent pop-up event”associated with the non-exempt source process in the defined timeframeis counted and added to a pop-up count, and/or pop-up score, for thenon-exempt source process. In one embodiment, an “independent pop-upevent” is an instance of a pop-up occurring for a first, or a “new”time.

For instance, in one embodiment, at DETERMINE THE NUMBER OF INDEPENDENTPOP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCUR IN THEDEFINED TIMEFRAME OPERATION 415 a pop-up window that occurs and is thenminimized by the user, only to be reopened by the user, is, in oneembodiment, only a single “independent” pop-up event, regardless of howmany times the user reopens the pop-up window. However, a pop-up windowthat occurs, is closed by the user, and then reoccurs, is treated as two“independent” pop-up events, and each reoccurrence of the pop-up windowafter the user closes the pop-up window is considered anotherindependent pop-up event.

In one embodiment, once the identified “non-exempt” source process ofDETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UPEVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 is monitored for atleast the defined timeframe of DEFINE A TIMEFRAME OPERATION 403 todetermine a number of pop-up events that occur in the defined timeframethat are associated with the non-exempt source process at DETERMINE THENUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESSTHAT OCCUR IN THE DEFINED TIMEFRAME OPERATION 415 process flow proceedsto DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST INPART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THESOURCE PROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417.

In one embodiment, at DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESSBASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTSASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINEDTIMEFRAME OPERATION 417 each independent pop-up event associated withthe non-exempt source process in the defined timeframe of DETERMINE THENUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESSTHAT OCCUR IN THE DEFINED TIMEFRAME OPERATION 415 is counted and used tocompute a pop-up score for the non-exempt source process.

In one embodiment, at DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESSBASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTSASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINEDTIMEFRAME OPERATION 417 the pop-up score for the non-exempt sourceprocess is determined using one or more processors, such as CPUs 201,301 of FIG. 2 and FIG. 3, associated with a user computing system, suchas user computing system 100 of FIGS. 1 and 2, and/or security systemprovider computing system 150 of FIGS. 1 and 3.

Returning to FIG. 4, as noted above, in various embodiments, atDETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST IN PART,ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCEPROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417 the pop-upscore for the non-exempt source process is calculated based entirely onthe count of pop-up events in the defined timeframe that were associatedwith a non-exempt process.

In other embodiments, at DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESSBASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTSASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINEDTIMEFRAME OPERATION 417 the pop-up score for the non-exempt sourceprocess is calculated based on the count of pop-up events in the definedtimeframe that were associated with a non-exempt process and/or otherdefined secondary score factors/data associated with the non-exemptprocess, such as a reputation and prevalence score or thepresence/absence of other factors that indicate the process is more, orless, likely, to be suspect.

As noted above, as a general rule, rogue security software would beexpected to have a low prevalence and/or an unknown reputation sincerogue security software is typically randomly generated and selectivelydistributed. As also noted above, in various embodiments, the secondaryscore factors/data associated with the non-exempt process are determinedby the provider of process for detecting rogue security software 400based on current data available regarding rogue security software. Inthis way, even though the process for detecting rogue security softwareis largely based on behavioral characteristics of rogue securitysoftware, some generalized definitions and/or signature type data can beincorporated as well.

In one embodiment, once a pop-up score is determined for the non-exempt source process at DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417, data representing the pop-up score determined for the non-exempt source process is stored, in one embodiment, in a pop-up score data module, such as pop-up score data 251 and/or 351 of FIGS. 2 and 3.

In one embodiment, once each independent pop-up event associated with the non-exempt source process in the defined timeframe of DETERMINE THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCUR IN THE DEFINED TIMEFRAME OPERATION 415 is counted and used to compute a pop-up score for the non-exempt source process at DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417, process flow proceeds to COMPARE THE POP-UP SCORE FOR THE SOURCE PROCESS WITH THE THRESHOLD POP-UP SCORE OPERATION 419.

In one embodiment, at COMPARE THE POP-UP SCORE FOR THE SOURCE PROCESS WITH THE THRESHOLD POP-UP SCORE OPERATION 419 the pop-up score for the non-exempt source process of DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417 is compared with the threshold pop-up score of DEFINE A THRESHOLD POP-UP SCORE OPERATION 405.

In one embodiment, at COMPARE THE POP-UP SCORE FOR THE SOURCE PROCESS WITH THE THRESHOLD POP-UP SCORE OPERATION 419 the pop-up score for the non-exempt source process of DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417 is compared with the threshold pop-up score of DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 using one or more processors, such as CPUs 201, 301 of FIG. 2 and FIG. 3, associated with a user computing system, such as user computing system 100 of FIGS. 1 and 2, and/or security system provider computing system 150 of FIGS. 1 and 3.

Returning to FIG. 4, in one embodiment, at COMPARE THE POP-UP SCORE FOR THE SOURCE PROCESS WITH THE THRESHOLD POP-UP SCORE OPERATION 419 the pop-up score for the non-exempt source process of DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417 is compared with the threshold pop-up score of DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 using an analysis module, such as analysis module 253 and/or 353 of FIGS. 2 and 3.

Returning to FIG. 4, in one embodiment, once the pop-up score for the non-exempt source process of DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417 is compared with the threshold pop-up score of DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 at COMPARE THE POP-UP SCORE FOR THE SOURCE PROCESS WITH THE THRESHOLD POP-UP SCORE OPERATION 419, process flow proceeds to IF THE POP-UP SCORE FOR THE SOURCE PROCESS IS GREATER THAN THE THRESHOLD POP-UP SCORE, TRANSFORM THE STATUS OF THE SOURCE PROCESS TO “SUSPECT” SOURCE PROCESS OPERATION 421.

In one embodiment, at IF THE POP-UP SCORE FOR THE SOURCE PROCESS IS GREATER THAN THE THRESHOLD POP-UP SCORE, TRANSFORM THE STATUS OF THE SOURCE PROCESS TO “SUSPECT” SOURCE PROCESS OPERATION 421, if the pop-up score associated with the non-exempt source process of DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417 exceeds the threshold pop-up score of DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 at COMPARE THE POP-UP SCORE FOR THE SOURCE PROCESS WITH THE THRESHOLD POP-UP SCORE OPERATION 419, then the status of the non-exempt source process is transformed to the status of “suspect” source process.

In one embodiment, at IF THE POP-UP SCORE FOR THE SOURCE PROCESS IS GREATER THAN THE THRESHOLD POP-UP SCORE, TRANSFORM THE STATUS OF THE SOURCE PROCESS TO “SUSPECT” SOURCE PROCESS OPERATION 421 the status of the non-exempt source process is transformed to the status of “suspect” source process using one or more processors, such as CPUs 201, 301 of FIG. 2 and FIG. 3, associated with a user computing system, such as user computing system 100 of FIGS. 1 and 2, and/or security system provider computing system 150 of FIGS. 1 and 3.

Returning to FIG. 4, in one embodiment, at IF THE POP-UP SCORE FOR THE SOURCE PROCESS IS GREATER THAN THE THRESHOLD POP-UP SCORE, TRANSFORM THE STATUS OF THE SOURCE PROCESS TO “SUSPECT” SOURCE PROCESS OPERATION 421 the status of the non-exempt source process is transformed to the status of “suspect” source process using a status transformation module, such as status transformation module 255 and/or 355 of FIGS. 2 and 3.

Returning to FIG. 4, in one embodiment, once the status of the non-exempt source process is transformed to the status of “suspect” source process at IF THE POP-UP SCORE FOR THE SOURCE PROCESS IS GREATER THAN THE THRESHOLD POP-UP SCORE, TRANSFORM THE STATUS OF THE SOURCE PROCESS TO “SUSPECT” SOURCE PROCESS OPERATION 421, process flow proceeds to TAKE PROTECTIVE ACTION AGAINST THE SUSPECT SOURCE PROCESS OPERATION 423.

In one embodiment, at TAKE PROTECTIVE ACTION AGAINST THE SUSPECT SOURCE PROCESS OPERATION 423 the now identified suspect source process of IF THE POP-UP SCORE FOR THE SOURCE PROCESS IS GREATER THAN THE THRESHOLD POP-UP SCORE, TRANSFORM THE STATUS OF THE SOURCE PROCESS TO “SUSPECT” SOURCE PROCESS OPERATION 421 is subjected to further analysis and/or corrective action.

In one embodiment, at TAKE PROTECTIVE ACTION AGAINST THE SUSPECT SOURCE PROCESS OPERATION 423, the pop-ups associated with the now identified suspect source process are labeled as being potentially generated by rogue security software and the user is prevented from seeing, and/or responding to, at least without a warning, the pop-ups until a more definitive analysis can be performed.

In one embodiment, at TAKE PROTECTIVE ACTION AGAINST THE SUSPECT SOURCE PROCESS OPERATION 423, once a more definitive analysis is performed, if the pop-up is deemed to be generated by rogue security software, signature data for the pop-up and/or the non-exempt source process, now identified as rogue security software, is stored in a rogue security software and/or rogue security software pop-up database, and the data in the rogue security software and/or rogue security software pop-up database is used to identify future instances of the pop-up as being rogue security software pop-ups and/or to refine the threshold pop-up score and/or the associated secondary score factors/data.

In one embodiment, once the now identified suspect source process of IF THE POP-UP SCORE FOR THE SOURCE PROCESS IS GREATER THAN THE THRESHOLD POP-UP SCORE, TRANSFORM THE STATUS OF THE SOURCE PROCESS TO “SUSPECT” SOURCE PROCESS OPERATION 421 is subjected to further analysis and/or corrective action at TAKE PROTECTIVE ACTION AGAINST THE SUSPECT SOURCE PROCESS OPERATION 423, process flow proceeds to EXIT OPERATION 431. In one embodiment, at EXIT OPERATION 431 process for detecting rogue security software 400 is exited to await new data.

As one specific and illustrative example of the operation of one embodiment of process for detecting rogue security software 400, assume the timeframe is defined at DEFINE A TIMEFRAME OPERATION 403 to be “1 hour” and the pop-up threshold score is set at DEFINE A THRESHOLD POP-UP SCORE OPERATION 405 as “4”.

Further assume, at DETECT A POP-UP EVENT OPERATION 409, a pop-up event is detected on a user computing system being monitored at MONITOR/SCAN A GIVEN USER COMPUTING SYSTEM TO DETECT ONE OR MORE POP-UP EVENTS OPERATION 407.

In this specific and illustrative example of the operation of one embodiment of process for detecting rogue security software 400, the source process responsible for the pop-up event on the desktop is identified at DETERMINE THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT OPERATION 411.

In this specific and illustrative example of the operation of one embodiment of process for detecting rogue security software 400, at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 the identified source process is checked against a list of “exempt” source processes and is not found to be on the list of exempt source processes.

In this specific and illustrative example of the operation of one embodiment of process for detecting rogue security software 400, also at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 reputation and prevalence information is queried from a backend system for the identified source process. Further assume that the identified source process is determined to have low prevalence and has an unknown reputation. As a result, at DETERMINE THAT THE SOURCE PROCESS ASSOCIATED WITH THE DETECTED POP-UP EVENT IS A “NON-EXEMPT” SOURCE PROCESS OPERATION 413 the identified source process is assessed a penalty score of “1” to be added to the pop-up count of the identified source process.

In this specific and illustrative example of the operation of one embodiment of process for detecting rogue security software 400, at DETERMINE THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCUR IN THE DEFINED TIMEFRAME OPERATION 415 a pop-up count is determined for the identified source process for the defined timeframe; in this example, assume the pop-up count associated with the identified source process is “4” in the defined timeframe of one hour.

In this specific and illustrative example of the operation of one embodiment of process for detecting rogue security software 400, at DETERMINE A POP-UP SCORE FOR THE SOURCE PROCESS BASED, AT LEAST IN PART, ON THE NUMBER OF INDEPENDENT POP-UP EVENTS ASSOCIATED WITH THE SOURCE PROCESS THAT OCCURRED IN THE DEFINED TIMEFRAME OPERATION 417 the low prevalence and unknown reputation penalty score of “1” is added to the pop-up count of “4” to yield a pop-up score of “5” for the identified source process.

In this specific and illustrative example of the operation of one embodiment of process for detecting rogue security software 400, the identified source process pop-up score of “5” is compared to the defined threshold pop-up score of “4” at COMPARE THE POP-UP SCORE FOR THE SOURCE PROCESS WITH THE THRESHOLD POP-UP SCORE OPERATION 419.

In this specific and illustrative example of the operation of one embodiment of process for detecting rogue security software 400, since the identified source process pop-up score of “5” is greater than the defined threshold pop-up score of “4”, at IF THE POP-UP SCORE FOR THE SOURCE PROCESS IS GREATER THAN THE THRESHOLD POP-UP SCORE, TRANSFORM THE STATUS OF THE SOURCE PROCESS TO “SUSPECT” SOURCE PROCESS OPERATION 421 the identified source process is tagged as a potential or “suspect” source application.

Then, in this specific and illustrative example of the operation of one embodiment of process for detecting rogue security software 400, further protective action is taken at TAKE PROTECTIVE ACTION AGAINST THE SUSPECT SOURCE PROCESS OPERATION 423.
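The following Python sketch is an added illustration, not part of the patent text, of the scoring procedure described in OPERATIONS 413 through 421 and replayed in the worked example above: independent pop-up events (a minimize followed by a restore is not recounted, a close followed by a reoccurrence is), a sliding one-hour timeframe, the exempt list, the reputation/prevalence penalty of 1, and the comparison against the threshold of 4. The process names, the exempt list, the reputation table and the event record format are constructed assumptions; the patent does not specify them.

```python
from collections import deque
from dataclasses import dataclass, field

# Parameters from the patent's illustrative example (OPERATIONS 403 and 405).
TIMEFRAME_SECONDS = 3600    # "1 hour"
THRESHOLD_POPUP_SCORE = 4   # "4"

# Constructed stand-ins for the provider's exempt list and the backend reputation query.
EXEMPT_PROCESSES = {"explorer.exe"}
REPUTATION_DB = {"fakeav_scanner.exe": ("unknown", "low"),   # hypothetical rogue scanner
                 "updater.exe": ("known", "high")}           # hypothetical benign updater


def lookup_reputation(process):
    """Return (reputation, prevalence); unlisted processes count as unknown/low."""
    return REPUTATION_DB.get(process, ("unknown", "low"))


def secondary_penalty(reputation, prevalence):
    """Secondary factor from the patent's example: unknown reputation plus low
    prevalence adds 1 to the pop-up count; other combinations add nothing here."""
    return 1 if reputation == "unknown" and prevalence == "low" else 0


@dataclass
class PopupEvent:
    timestamp: float   # seconds since monitoring started
    process: str       # source process identified at OPERATION 411
    window_id: int     # identifies the pop-up window
    kind: str          # "open", "minimize", "restore" or "close"


@dataclass
class ProcessState:
    independent_popups: deque = field(default_factory=deque)  # timestamps in window
    open_windows: set = field(default_factory=set)  # open (possibly minimized) windows


class RoguePopupDetector:
    def __init__(self, timeframe_s, threshold, exempt, reputation_lookup):
        self.timeframe_s = timeframe_s
        self.threshold = threshold
        self.exempt = exempt
        self.reputation_lookup = reputation_lookup
        self.state = {}
        self.suspect = set()

    def popup_count(self, process, now):
        """OPERATION 415: independent pop-up events in the timeframe ending at 'now'."""
        st = self.state.get(process)
        if st is None:
            return 0
        cutoff = now - self.timeframe_s          # sliding window: age out old events
        while st.independent_popups and st.independent_popups[0] < cutoff:
            st.independent_popups.popleft()
        return len(st.independent_popups)

    def popup_score(self, process, now):
        """OPERATION 417: pop-up count plus the reputation/prevalence penalty."""
        return self.popup_count(process, now) + secondary_penalty(*self.reputation_lookup(process))

    def handle(self, ev):
        """Process one event; return 'exempt', 'non-exempt' or 'suspect' for its process."""
        if ev.process in self.exempt:            # OPERATION 413: exempt -> no further action
            return "exempt"
        st = self.state.setdefault(ev.process, ProcessState())
        if ev.kind == "open" and ev.window_id not in st.open_windows:
            # First appearance, or reappearance after a close, is a new independent event.
            st.open_windows.add(ev.window_id)
            st.independent_popups.append(ev.timestamp)
        elif ev.kind == "close":
            st.open_windows.discard(ev.window_id)  # restore after minimize changes nothing
        if self.popup_score(ev.process, ev.timestamp) > self.threshold:
            self.suspect.add(ev.process)          # OPERATIONS 419/421: status is sticky
        return "suspect" if ev.process in self.suspect else "non-exempt"


def run_example():
    """Replay a constructed event trace matching the patent's worked example."""
    det = RoguePopupDetector(TIMEFRAME_SECONDS, THRESHOLD_POPUP_SCORE, EXEMPT_PROCESSES, lookup_reputation)
    trace = [
        # Rogue scanner: four independent pop-ups in one hour; the minimize/restore
        # of window 1 is not counted, each reoccurrence after a close is.
        PopupEvent(0, "fakeav_scanner.exe", 1, "open"),
        PopupEvent(300, "fakeav_scanner.exe", 1, "minimize"),
        PopupEvent(600, "fakeav_scanner.exe", 1, "restore"),
        PopupEvent(900, "fakeav_scanner.exe", 1, "close"),
        PopupEvent(960, "fakeav_scanner.exe", 2, "open"),
        PopupEvent(1800, "fakeav_scanner.exe", 2, "close"),
        PopupEvent(1800, "fakeav_scanner.exe", 3, "open"),
        PopupEvent(2700, "fakeav_scanner.exe", 3, "close"),
        PopupEvent(2700, "fakeav_scanner.exe", 4, "open"),  # count 4 + penalty 1 = 5 > 4
        # Benign updater: also four pop-ups per hour, but known/high, so score stays 4.
        PopupEvent(0, "updater.exe", 10, "open"),
        PopupEvent(1000, "updater.exe", 11, "open"),
        PopupEvent(2000, "updater.exe", 12, "open"),
        PopupEvent(3000, "updater.exe", 13, "open"),
        PopupEvent(3700, "updater.exe", 14, "open"),  # the t=0 event has aged out
        PopupEvent(100, "explorer.exe", 20, "open"),  # exempt: never scored
    ]
    statuses = {}
    for ev in trace:  # per-process timelines; each process has its own window
        statuses[ev.process] = det.handle(ev)
    return det, statuses
```

Calling `run_example()` returns the detector and the final status per process: the rogue scanner ends as "suspect" while the updater, with the same pop-up count but a known, widespread reputation, stays "non-exempt".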

Using process for detecting rogue security software 400, rogue security software is identified based on behavioral characteristics, i.e., the frequent generation of pop-up events, common to many forms, types, and instances of rogue security software, as opposed to specific definitions/signatures related to specific versions/variations of rogue security software. Consequently, using process for detecting rogue security software 400, even when, as is currently the case, millions of specific variants of rogue security software are generated and distributed as frequently as every few minutes, and sent to relatively few targeted users at a time, the rogue security software can still be identified, and potentially stopped, quickly and efficiently, based on the very “marketing model” used by rogue security software, i.e., to scare and/or annoy the user/victim into taking the desired action by frequently displaying fake pop-up alerts and/or warnings.

In addition, process for detecting rogue security software 400 is effective regardless of the text, language, and/or type of appearance of the pop-up warning and/or alert, or any other features associated with the pop-up warning/alert itself.

In addition, using process for detecting rogue security software 400, the perpetrator cannot “defeat” the method and apparatus for detecting rogue security software discussed herein by decreasing the frequency of the pop-up warnings and/or alerts generated without also decreasing the effectiveness of the rogue security software, i.e., without adversely affecting its ability to scare and/or annoy the user/victim into taking the desired action, since that ability depends on frequently displaying the fake pop-up alerts and/or warnings.

Consequently, using process for detecting rogue security software 400, rogue security software is more reliably and quickly detected and, therefore, fewer users are likely to fall victim to these very serious and damaging scams.

In the discussion above, certain aspects of one embodiment include process steps and/or operations and/or instructions described herein for illustrative purposes in a particular order and/or grouping. However, the particular order and/or grouping shown and discussed herein are illustrative only and not limiting. Those of skill in the art will recognize that other orders and/or grouping of the process steps and/or operations and/or instructions are possible and, in some embodiments, one or more of the process steps and/or operations and/or instructions discussed above can be combined and/or deleted. In addition, portions of one or more of the process steps and/or operations and/or instructions can be re-grouped as portions of one or more other of the process steps and/or operations and/or instructions discussed herein. Consequently, the particular order and/or grouping of the process steps and/or operations and/or instructions discussed herein do not limit the scope of the invention as claimed below.

Herein, embodiments have been discussed with reference to the accompanying FIG.s, which depict one or more exemplary embodiments. The above description includes reference to specific embodiments for illustrative purposes. However, the illustrative discussion above is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in view of the teachings below. The embodiments discussed above were chosen and described in order to explain the principles of the invention, and its practical applications, to thereby enable others skilled in the art to utilize the invention and various embodiments with various modifications as may be suited to the particular use contemplated. Therefore, embodiments may be embodied in many different forms than those shown and discussed herein and should not be construed as limited to the embodiments set forth herein, shown in the FIG.s, and/or described below. In addition, the nomenclature used for components, capitalization of component designations and terms, the attributes, data structures, or any other programming or structural aspect is not significant, mandatory, or limiting, and the mechanisms that implement the invention or its features can have various different names, formats, and/or protocols. Further, the system and/or functionality of the invention may be implemented via various combinations of software and hardware, as described, or entirely in hardware elements. Also, particular divisions of functionality between the various components described herein are merely exemplary, and not mandatory or significant. Consequently, functions performed by a single component may, in other embodiments, be performed by multiple components, and functions performed by multiple components may, in other embodiments, be performed by a single component.

Some portions of the above description present the features of the present invention in terms of algorithms and symbolic representations of operations, or algorithm-like representations, of operations on information/data. These algorithmic and/or algorithm-like descriptions and representations are the means used by those of skill in the art to most effectively and efficiently convey the substance of their work to others of skill in the art. These operations, while described functionally or logically, are understood to be implemented by computer programs and/or computing systems. Furthermore, it has also proven convenient at times to refer to these arrangements of operations as steps or modules or by functional names, without loss of generality.

Unless specifically stated otherwise, as would be apparent from the above discussion, it is appreciated that throughout the above description, discussions utilizing terms such as “monitoring”, “defining”, “comparing”, “transforming”, “taking”, “detecting”, “analyzing”, “storing”, “saving”, “classifying”, “determining”, “processing”, “using”, “preventing”, “quarantining”, etc., refer to the action and processes of a computing system or similar electronic device that manipulates and operates on data represented as physical (electronic) quantities within the computing system memories, registers, caches or other information storage, transmission or display devices.

Certain aspects of the present invention include process steps or operations and instructions described herein in an algorithmic and/or algorithmic-like form. It should be noted that the process steps and/or operations and instructions of the present invention can be embodied in software, firmware, and/or hardware, and when embodied in software, can be downloaded to reside on and be operated from different platforms used by real time network operating systems.

The present invention also relates to an apparatus or system for performing the operations described herein. This apparatus or system may be specifically constructed for the required purposes, or the apparatus or system can comprise a general purpose system selectively activated or configured/reconfigured by a computer program stored on a computer program product as defined herein that can be accessed by a computing system or other device.

Those of skill in the art will readily recognize that the algorithms and operations presented herein are not inherently related to any particular computing system, computer architecture, computer or industry standard, or any other specific apparatus. Various general purpose systems may also be used with programs in accordance with the teaching herein, or it may prove more convenient/efficient to construct more specialized apparatuses to perform the required operations described herein. The required structure for a variety of these systems will be apparent to those of skill in the art, along with equivalent variations. In addition, the present invention is not described with reference to any particular programming language and it is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any references to a specific language or languages are provided for illustrative purposes only and for enablement of the contemplated best mode of the invention at the time of filing.

The present invention is well suited to a wide variety of computer network systems operating over numerous topologies. Within this field, the configuration and management of large networks comprise storage devices and computers that are communicably coupled to similar and/or dissimilar computers and storage devices over a private network, a LAN, a WAN, or a public network, such as the Internet.

It should also be noted that the language used in the specification has been principally selected for readability, clarity and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the claims below.

In addition, the operations shown in the FIG.s for method and apparatus and/or process or application for providing scroll bar enabled bookmarks in electronic document displays, discussed herein, are identified using a particular nomenclature for ease of description and understanding, but other nomenclature is often used in the art to identify equivalent operations.

Therefore, numerous variations, whether explicitly provided for by the specification or implied by the specification or not, may be implemented by one of skill in the art in view of this disclosure.

What is claimed is:
 1. A computing system implemented process fordetecting rogue security software comprising: defining a timeframe formonitoring a source process; determining, using one or more processorsassociated with one or more computing systems, a threshold pop-up scoresuch that a source process having a pop-up score greater than thethreshold pop-up score is considered a suspect source process;monitoring, using the one or more processors associated with the one ormore computing systems, a user computing system to detect any pop-upsgenerated on the user computing system; detecting, using the one or moreprocessors associated with the one or more computing systems, a pop-upgenerated on the user computing system; identifying, using the one ormore processors associated with the one or more computing systems, asource process associated with the detected pop-up; monitoring, usingthe one or more processors associated with the one or more computingsystems, the identified source process associated with the detectedpop-up for at least the defined timeframe to determine a number ofpop-up events on the user computing system in the defined timeframeassociated with the identified source process, wherein a pop-up eventthat is minimized and later reopened by a user comprises one independentpop-up event; determining, using the one or more processors associatedwith the one or more computing systems, a pop-up score for theidentified source process, the pop-up score for the identified sourceprocess being based, at least in part, on the determined number ofpop-up events on the user computing system in the defined timeframeassociated with the identified source process, the popup score furtherbeing based on a reputation and prevalence score associated with theidentified source process, the reputation and prevalence score beingrepresentative of how well-known and wide-spread the identified sourceprocess is, wherein an unknown reputation and a low prevalence scorecauses the pop-up score to increase; 
comparing, using the one or moreprocessors associated with the one or more computing systems, the pop-upscore for the identified source process with the threshold pop-up score;and if the pop-up score for the identified source process is greaterthan the threshold pop-up score, using the one or more processorsassociated with the one or more computing systems to transform a statusof the identified source process to a status of identified suspectsource process.
2. The computing system implemented process for detecting rogue security software of claim 1, wherein the threshold pop-up score is based on the number of pop-up events associated with a source process detected in the defined timeframe.
3. The computing system implemented process for detecting rogue security software of claim 1, wherein the threshold pop-up score is based on the number of pop-up events associated with a source process detected in the defined timeframe and one or more associated secondary factors.
4. The computing system implemented process for detecting rogue security software of claim 1, wherein the pop-up score for the identified source process is further determined based, at least in part, on the determined number of pop-up events on the user computing system in the defined timeframe associated with the identified source process and a reputation associated with the identified source process.
5. The computing system implemented process for detecting rogue security software of claim 1, further comprising: prior to using one or more processors associated with one or more computing systems to monitor the identified source process associated with the detected pop-up for at least the defined timeframe; using one or more processors associated with one or more computing systems to determine if the identified source process associated with the detected pop-up is an exempt process; and if the identified source process associated with the detected pop-up is an exempt process taking no further action.
6. The computing system implemented process for detecting rogue security software of claim 1, further comprising: if the pop-up score for the identified source process is greater than the threshold pop-up score, using one or more processors associated with one or more computing systems to transform a status of the identified source process to a status of identified suspect source process and taking one or more protective measures against the identified suspect source process.
7. A system for detecting rogue security software comprising: a user computing system; a security system provider computing system; and one or more processors associated with the user computing system, the one or more processors executing a process for detecting rogue security software comprising: defining a timeframe; determining a threshold pop-up score such that a source process having a pop-up score greater than the threshold pop-up score is considered a suspect source process; monitoring a user computing system to detect any pop-ups generated on the user computing system; detecting a pop-up generated on the user computing system; identifying a source process associated with the detected pop-up; monitoring the identified source process associated with the detected pop-up for at least the defined timeframe to determine a number of pop-up events on the user computing system in the defined timeframe associated with the identified source process; determining a pop-up score for the identified source process, the pop-up score for the identified source process being based, at least in part, on the determined number of pop-up events on the user computing system in the defined timeframe associated with the identified source process, wherein a pop-up event that is minimized and later reopened by a user comprises one independent pop-up event, the pop-up score further being based on a reputation and prevalence score associated with the identified source process, the reputation and prevalence score being representative of how well-known and wide-spread the identified source process is, wherein an unknown reputation and a low prevalence score causes the pop-up score to increase; using the one or more processors associated with one or more computing systems to compare the pop-up score for the identified source process with the threshold pop-up score; and if the pop-up score for the identified source process is greater than the threshold pop-up score, using the one or more processors associated with one or more computing systems to transform a status of the identified source process to a status of identified suspect source process.
8. The system for detecting rogue security software of claim 7, wherein the threshold pop-up score is based on the number of pop-up events associated with a source process detected in the defined timeframe.
9. The system for detecting rogue security software of claim 7, wherein the threshold pop-up score is based on the number of pop-up events associated with a source process detected in the defined timeframe and one or more associated secondary factors.
10. The system for detecting rogue security software of claim 7, wherein the pop-up score for the identified source process is further determined based, at least in part, on the determined number of pop-up events on the user computing system in the defined timeframe associated with the identified source process and a reputation associated with the identified source process.
11. The system for detecting rogue security software of claim 7, wherein the process for detecting rogue security software further comprises: prior to using the one or more processors associated with one or more computing systems to monitor the identified source process associated with the detected pop-up for at least the defined timeframe; using the one or more processors associated with one or more computing systems to determine if the identified source process associated with the detected pop-up is an exempt process; and if the identified source process associated with the detected pop-up is an exempt process taking no further action.
12. The system for detecting rogue security software of claim 7, wherein the process for detecting rogue security software further comprises: if the pop-up score for the identified source process is greater than the threshold pop-up score, using one or more processors associated with one or more computing systems to transform a status of the identified source process to a status of identified suspect source process and taking one or more protective measures against the identified suspect source process.
13. A method for detecting rogue security software comprising: defining a timeframe for monitoring a source process; determining a threshold pop-up score such that a source process having a pop-up score greater than the threshold pop-up score is considered a suspect source process; monitoring a user computing system to detect any pop-ups generated on the user computing system; detecting a pop-up generated on the user computing system; identifying a source process associated with the detected pop-up; monitoring the identified source process associated with the detected pop-up for at least the defined timeframe to determine a number of pop-up events on the user computing system in the defined timeframe associated with the identified source process; determining a pop-up score for the identified source process, the pop-up score for the identified source process being based, at least in part, on the determined number of pop-up events on the user computing system in the defined timeframe associated with the identified source process, wherein a pop-up event that is minimized and later reopened by a user comprises one independent pop-up event, the pop-up score further being based on a reputation and prevalence score associated with the identified source process, the reputation and prevalence score being representative of how well-known and wide-spread the identified source process is, wherein an unknown reputation and a low prevalence score causes the pop-up score to increase; comparing the pop-up score for the identified source process with the threshold pop-up score; and if the pop-up score for the identified source process is greater than the threshold pop-up score, transforming a status of the identified source process to a status of identified suspect source process.
14. The method for detecting rogue security software of claim 13, wherein the threshold pop-up score is based on the number of pop-up events associated with a source process detected in the defined timeframe and one or more associated secondary factors.
15. The method for detecting rogue security software of claim 13, wherein the pop-up score for the identified source process is further determined based, at least in part, on the determined number of pop-up events on the user computing system in the defined timeframe associated with the identified source process and a reputation associated with the identified source process.
16. The method for detecting rogue security software of claim 13, wherein, prior to monitoring the identified source process associated with the detected pop-up for at least the defined timeframe, determining if the identified source process associated with the detected pop-up is an exempt process, and, if the identified source process associated with the detected pop-up is an exempt process, taking no further action.
17. The method for detecting rogue security software of claim 13, further comprising: if the pop-up score for the identified source process is greater than the threshold pop-up score, transforming a status of the identified source process to a status of identified suspect source process and taking one or more protective measures against the identified suspect source process.
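The claims above (1, 7 and 13, with the exempt-process check of claims 5, 11 and 16 and the protective measures of claims 6, 12 and 17) describe one scoring procedure. The following Python is an added illustration written for this page, not code from the patent or its assignee: it runs the procedure over a constructed pop-up event trace. The process names, the reputation/prevalence feed, the exempt list, the weights applied for unknown reputation and low prevalence, the 60-second timeframe, the threshold of 5 and the list of protective measures are all assumptions chosen for the example; the claims only state that an unknown reputation and a low prevalence raise the score and that a minimized-then-reopened pop-up counts as one further independent event.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: processes whose pop-ups are never scored (claims 5/11/16); names are illustrative.
EXEMPT_PROCESSES = {"explorer.exe", "updater-service.exe"}

# Assumption: below this many observed installs a process counts as "low prevalence".
LOW_PREVALENCE = 1_000


@dataclass(frozen=True)
class PopupEvent:
    ts: float      # seconds since monitoring started
    source: str    # process that owns the pop-up window (claim 1: "source process")
    action: str    # "open", "reopen" (user restored a minimized window) or "minimize"


@dataclass(frozen=True)
class Reputation:
    known: bool      # False means the process has an unknown reputation
    prevalence: int  # approximate number of systems the process has been seen on


# Constructed reputation/prevalence feed standing in for a security-provider back end (claim 7).
REPUTATION_DB: Dict[str, Reputation] = {
    "explorer.exe": Reputation(known=True, prevalence=10_000_000),
    "chat-client.exe": Reputation(known=True, prevalence=250_000),
    "winsecure_pro.exe": Reputation(known=False, prevalence=12),
}


def is_popup_event(ev: PopupEvent) -> bool:
    """Claim 1: a window minimized and later reopened is one more independent pop-up event,
    so both "open" and "reopen" count; the minimize itself is not a new pop-up."""
    return ev.action in ("open", "reopen")


def count_popups(events: List[PopupEvent], source: str, start: float, timeframe: float) -> int:
    """Number of pop-up events from `source` inside [start, start + timeframe]."""
    return sum(1 for e in events
               if e.source == source and is_popup_event(e) and start <= e.ts <= start + timeframe)


def popup_score(count: int, rep: Optional[Reputation]) -> float:
    """Pop-up count weighted by reputation and prevalence (claims 1, 4, 10, 15).
    The multipliers are assumptions; a process absent from the feed is treated as unknown."""
    score = float(count)
    if rep is None or not rep.known:
        score *= 2.0          # unknown reputation raises the score
    if rep is None or rep.prevalence < LOW_PREVALENCE:
        score *= 1.5          # low prevalence raises the score
    return score


def detect_rogue(events: List[PopupEvent], timeframe: float,
                 threshold: float) -> Dict[str, Tuple[str, float]]:
    """Run the claimed procedure: the first pop-up from a source opens its monitoring window,
    the source is scored over that window and marked "suspect" if score > threshold."""
    ordered = sorted(events, key=lambda e: e.ts)
    results: Dict[str, Tuple[str, float]] = {}
    for ev in ordered:
        if not is_popup_event(ev) or ev.source in results:
            continue                                   # only the first pop-up starts a window
        if ev.source in EXEMPT_PROCESSES:
            results[ev.source] = ("exempt", 0.0)       # claims 5/11/16: take no further action
            continue
        n = count_popups(ordered, ev.source, ev.ts, timeframe)
        score = popup_score(n, REPUTATION_DB.get(ev.source))
        results[ev.source] = ("suspect" if score > threshold else "benign", score)
    return results


def protective_measures(results: Dict[str, Tuple[str, float]]) -> Dict[str, List[str]]:
    """Claims 6/12/17: actions to take against each suspect source (list is an assumption)."""
    return {src: ["suppress_popups", "alert_user", "submit_sample"]
            for src, (status, _) in results.items() if status == "suspect"}


# Constructed trace: a benign shell, a chatty but reputable client, and a rarely seen
# "scanner" that keeps re-raising its warning.  Timestamps are seconds.
SAMPLE_EVENTS = [
    PopupEvent(1, "explorer.exe", "open"), PopupEvent(2, "explorer.exe", "open"),
    PopupEvent(3, "explorer.exe", "open"), PopupEvent(4, "explorer.exe", "open"),
    PopupEvent(5, "explorer.exe", "open"), PopupEvent(6, "explorer.exe", "open"),
    PopupEvent(5, "chat-client.exe", "open"), PopupEvent(12, "chat-client.exe", "open"),
    PopupEvent(13, "chat-client.exe", "minimize"), PopupEvent(30, "chat-client.exe", "reopen"),
    PopupEvent(40, "chat-client.exe", "open"),
    PopupEvent(10, "winsecure_pro.exe", "open"), PopupEvent(15, "winsecure_pro.exe", "open"),
    PopupEvent(20, "winsecure_pro.exe", "open"), PopupEvent(22, "winsecure_pro.exe", "minimize"),
    PopupEvent(25, "winsecure_pro.exe", "reopen"),
    PopupEvent(100, "winsecure_pro.exe", "open"),  # outside the 60 s window, not counted
]

if __name__ == "__main__":
    verdicts = detect_rogue(SAMPLE_EVENTS, timeframe=60.0, threshold=5.0)
    for src, (status, score) in verdicts.items():
        print(f"{src:20} {status:8} score={score}")
    print(protective_measures(verdicts))
```

Two points the trace is built to show: chat-client.exe raises the same four pop-up events as the rogue process inside the window (three opens plus one reopen) but stays below the threshold because its reputation is known and its prevalence high, and the rogue process's sixth pop-up at 100 s falls outside the window opened by its first pop-up and is not counted, so the timeframe, not the lifetime total, governs the score.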